The ULTIMATE macOS Privacy & Security Guide!


Welcome to our macOS Privacy and Security Guide v2, an all-in-one place where you will learn exactly how to make macOS as safe as we can possibly make it. If you have to use macOS for whatever reason, be it creative work, school, or just because you enjoy it, this is the place to be. And we'll have guides for every major operating system linked in the description, that'll be released shortly. So yes, Linux will be there soon. This guide is broken up into three zones.

Zone 1 shouldn't impact day-to-day usage, so I recommend you implement everything within it. Zone 2 will require small changes that may impact convenience, and zone 3 is for those looking to go above and beyond. Most things you read about, like the newest exploits, are almost always patched through updates. The best thing to do, as annoying as they can be, is to utilize automatic updates for your operating system and its programs.

This means using the newest version of macOS, with all automatic updates enabled. If you get programs from outside the App Store, keep those updated as well. Where you obtain software is incredibly important, and probably one of the riskiest things that you do. The App Store has some additional security precautions, and adds an additional layer of verification that you're getting trusted software.

But unlike the Windows Store, this does require an Apple account, so there's a direct trade-off here you need to decide on. The next best alternative from the App Store is to get software officially from the developer's website. Sometimes, services will include an ability to verify the hash of what you downloaded to make sure it's safe.

What we want people to avoid is downloading software from random websites that can lead to a malicious version of something. Just be careful out there. If your device is locked out and requires a password, having a strong password will be your first line of defense. To make this easier, I recommend using a passphrase, something easy for you to remember, but difficult to hack.

As a side note, make sure notifications, as well as any voice assistants and settings toggles, are not publicly accessible on your lock screen. Once you set this strong password, you may then have the option to utilize biometrics. These suffer a couple of issues. One, they might be easier to crack depending on your configuration, and they fall under different legal jurisdictions in some countries, meaning that you can be forced to unlock your device if it's utilizing biometrics.

But on the flip side, biometrics are convenient, and they may be better than a weak password. And finally, they offer some protection in public from shoulder surfing attacks where people or cameras can observe you type your password. You should assess these pros and cons and ensure you have a secure method of logging into your system. Passwords used on websites are also super important. If you use the same or similar password for all your services, one breach can easily lead to the others being breached since they have the same credentials. Make sure, at least in zone 1, that you're using unique, strong passwords.

I'll leave a source on what that means and different methods of doing it. Zone 2 will go further into techniques to achieve this better, but yes, keeping your account secure can help keep your operating system secure. By default, if you have a Mac with Apple Silicon or an Apple T2 security chip, your data is encrypted automatically by default. However, FileVault provides an extra layer of security by keeping someone from decrypting or getting access to your data without entering your login password. For this reason, we're huge proponents of enabling FileVault on your machines.

Just make sure to store your encryption key in a safe place and that you're consistently backing up data from your machine. Additionally, there's VeraCrypt, an open source encryption tool that lets you create encrypted containers to store specific files, for situations where your computer is already unlocked. We have an in-depth guide covering how to use VeraCrypt to make it easy to understand for anyone. Antiviruses are tricky, as they have the potential to improve security, often with a detrimental impact on your privacy.

The first thing everyone should do is stop using free antiviruses from a commercial company with no clear business model. Just don't. Up next, we recommend you really don't do anything, since macOS has its own built-in anti-malware that's extremely effective. The operating system itself has a very sound security model where most things are taken care of for you. We'll cover advanced tips to maximize this in zone 3, but for most people, you do not need a dedicated antivirus tool. We just made a video recently that dives into this a bit more for a deep dive on antiviruses.

Your browser has the ability to track everywhere you go on the internet, so ensuring you're using something with proven security and privacy is really important. Here's the thing, Safari is not terrible, and actually has some neat privacy and security features and is even based on an open source web engine. But there is better. We almost always recommend more robust browsers like Firefox, Mullvad, Brave, Tor, or anything else in our resources.

We'll talk more about these browsers and your different options down the road. But for now, we recommend just trying to avoid Chrome for privacy's sake. That's a pretty good first step, and even Safari accomplishes that goal. But again, there are better browsers than Safari that we'll cover in later zones. Similar to your browser, your search engine also has the capability of tracking everything you do on the internet, which major companies like Google do.

The three main recommendations we have are Brave Search, DuckDuckGo, and StartPage. So see if you can implement one of those within your browsers, or use something else with privacy and open source in mind like SearXNG. Again, our website's resources include search engines for you to try out. Your IP address uniquely identifies you on the internet, and it's used by websites to track you. A simple way to prevent this is by utilizing a trusted VPN provider to handle your traffic. This is not a required step, but many people in our community see benefit in using a trusted VPN provider.

As for what's trusted, we host open source VPN tools on our website. And our four top recommendations for privacy are Mullvad, IVPN, ProtonVPN, and Windscribe. All are open source and implement some of the best transparency in the industry.

I've made some more videos on VPNs if you're curious about them. If for whatever reason you're 100% committed to Apple's ecosystem and you use your Mac with an account, Private Relay is an option in Safari, which is technologically sound and offers good privacy, but the issue is it's only inside Safari. The VPNs we recommend are system wide and will offer protection in far more areas than just your web browser. DNS is a domain name service, and they're like a phone book for the internet, directing you to the sites you visit every day. The problem is most default DNS providers track your browsing, so use a DNS provider with privacy in mind.

If you're using a VPN service, it likely includes its own DNS server, meaning you don't need to worry about this. If you aren't using a VPN, check out the DNS options on our website, which include lots of cool tools. Mullvad's DNS is a great starting point with some nice basic filtering options to keep you safer online.

Firewalls try to make sure that traffic going in and out of your device is safe. On macOS, there's a built-in firewall that's off by default, so go into your system preferences and just enable the firewall. It's that simple. You can customize it a bit more if you're tech savvy, but just turning it on is pretty good. In addition, you can actually use custom DNS providers similar to what we just covered, but these are things like NextDNS or Control D. They have native features that can block things like Apple's data collection.

NextDNS specifically has a super generous free plan and is my favorite of these tools. We'll leave a link to it below. In addition to these two strategies, a third way to control your traffic even more is with tools like LuLu. It's an open-source firewall that lets you control domains contacted by software and your operating system. It's a bit of a complicated tool to use at first, but it's incredibly powerful and something I recommend people at least try to use. If you want something a bit more polished, but paid and not open-source, there's Little Snitch, which is the more popular proprietary sister brother, whatever Little Snitch is.

This is broad, but less is almost always more when it comes to security and privacy. Each additional program and setting you utilize increases attack surface and the possibility of abuse with your personal information. If you're a person with a never-ending list of programs that you mostly never use, you should probably just go ahead and uninstall them.

In terms of uninstalling, Pearcleaner is an open-source app to make this more effective, as it uninstalls program remnants. Some programs like Discord have progressive web apps, so if you can utilize the web app within your browser, it'll function like the regular program, but it's also a great way to separate the program and keep it within your browser, which is typically safer and gives you more control than installing it on your operating system. Outside of programs and settings, try to frequently clear data you don't need like old system logs, temporary data like browser cache, history, cookies, and any sensitive data that doesn't need to be on your computer 24/7. Tying into minimalism, there are lots of settings on macOS and its programs you may never use that are pointlessly collecting data about you.

The general rule of thumb is if you're not using it, turn it off. This may include things like Siri, some iCloud features, disabling the remote options in the sharing menu, limiting what Spotlight can access, especially Spotlight Suggestions, which sends all your queries to Apple, Apple's analytics, Apple Intelligence, and dozens of other settings and features I recommend disabling. I'll leave a source below with different settings to disable for extra privacy.

As a little detail, no big deal, I contributed those myself in the GitHub repo, which I'm really proud of, so I hope you enjoy it and if it's not helpful, then make a PR to make it better. Now an important detail here is macOS has wonderful permission management. In fact, I would argue probably the best of all desktop operating systems, including Linux, which allows you to severely lock down what a program can and cannot access. Check these permissions carefully and be sure to consistently check to make sure programs only have what they need.
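Several of the Zone 1 settings covered above (FileVault, the built-in firewall, automatic update checks) can be confirmed from Terminal. The script below is an added example, not something from the video; its function names are made up for illustration, and it assumes the `fdesetup`, `socketfilterfw` and `defaults` output formats noted in its comments.

```shell
#!/bin/sh
# Zone 1 audit sketch (added example): FileVault, application firewall,
# automatic update checks. Each parse_* function takes a command's output
# as its argument, so the parsing can be checked against sample text.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
parse_filevault() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# `socketfilterfw --getglobalstate` prints e.g.
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)"
parse_firewall() {
  case "$1" in
    *disabled*) echo off ;;
    *enabled*)  echo on ;;
    *)          echo unknown ;;
  esac
}

# `defaults read ... AutomaticCheckEnabled` prints 1 or 0. A missing key
# prints nothing and is reported as unknown rather than guessed.
parse_autoupdate() {
  case "$1" in
    1) echo on ;;
    0) echo off ;;
    *) echo unknown ;;
  esac
}

# Print one PASS/FAIL line per check; exit status is the number of checks
# that are not "on".
summarize() {
  fails=0
  for pair in "FileVault:$1" "Firewall:$2" "AutoUpdateCheck:$3"; do
    name=${pair%%:*}
    state=${pair#*:}
    if [ "$state" = on ]; then
      echo "PASS $name"
    else
      echo "FAIL $name ($state)"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# Collect the live values on a Mac and summarize them.
audit_zone1() {
  fv=$(parse_filevault "$(fdesetup status 2>/dev/null)")
  fw=$(parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")
  au=$(parse_autoupdate "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)")
  summarize "$fv" "$fw" "$au"
}

# Only query the system when actually running on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
  audit_zone1 || echo "Review the FAIL lines in System Settings."
fi
```

An `unknown` result means the command produced output the script does not recognize, so check that setting by hand in System Settings.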

Now with zone 1 out of the way, you're already much safer than the average person, but let's take it a step further and talk about zone 2. FOSS stands for free and open source. This means the software's code is publicly accessible to the community.

It also ensures you can verify the security and privacy behind the software. So in general, I'd advise moving from proprietary to FOSS programs as much as possible. Yes, we know, Henry, macOS is proprietary, we know, but improvements are still improvements. Nothing is black and white in this game.

The VPNs we covered earlier are all open source, Signal the messenger is open source, Firefox and Brave are open source. Just go through your list of programs and type each of them into AlternativeTo.net with the open source filter and see if there's something you can switch to. FOSS will typically respect you better, and don't let gatekeepers convince you that just because you're on macOS, you're a lost cause and that these improvements don't matter, because they really do matter when you start to rack them up. Communication is super important. With email, it's recommended to keep email in your browser to add an additional safety layer between an email and your operating system. In regards to what email provider to use, Proton and Tuta are both open source and great starting points.

We'll have links to both providers below. For direct messaging, I recommend something with end-to-end encryption like Signal or another messenger listed on our site's resources page. But if you're stuck using something like Facebook Messenger, at least try to enable end-to-end encryption where you can and try to keep the program off of your computer as well, keeping it inside your browser. Same thing goes for things like Telegram and other less than ideal services that can be used. In your browser, not on your operating system. While it's not directly related to macOS, we think having a cleaner online footprint is always beneficial for your privacy and security.

So make sure you're using multi-factor authentication on your accounts for max security. Ente Auth and YubiKeys are both compatible on macOS if you need them on your system. Opt out of data collection whenever possible, use tools like uBlock Origin in your browser, or AdGuard if you're on Safari, and minimize or delete invasive accounts like Facebook, TikTok and others. The fewer accounts you have online, the better. And for the accounts you have, we recommend using as little data as possible.

And when that data is required, we recommend aliasing tools like SimpleLogin for email, MySudo for numbers and Privacy.com for card numbers. We list all our recommended aliasing services on our website's resources. On this note, it's a good time to remind you that you don't need an Apple account to have most of the functionality on your Mac. Reducing or outright removing your dependence on your Apple account can enable you to be freer with where you store your data, as Apple implements lots of lock-in strategies, and assuming you're migrating to more trusted services in its place, your privacy and security can actually greatly benefit. And that's actually where things get complicated now. Because since our last video, Apple released Advanced Data Protection, which introduces end-to-end encryption for a majority of the iCloud suite.

This means that users who enable ADP, which we do recommend, get a fairly secure, yet very convenient security boost with tools like Find My that can actually be very important for security. But this is all at the cost of going further into the Apple ecosystem, which introduces a tough choice for users who may struggle to find that equally capable, if not better, encrypted alternative outside the Apple ecosystem. It's a really tough spot to be in right now. So we made a good, better and best ranking, which is as follows. Good.

The good is you can just go all in on iCloud with ADP enabled and be sure to use separate end-to-end encrypted services in the three areas Apple doesn't cover, which are contacts, calendar and email. If you find three encrypted alternatives in those three places, you fundamentally get end-to-end encryption for everything. What's better is to use iCloud more selectively for areas you can't find better alternatives for. Perhaps you only use iCloud Drive, but you're able to find encrypted alternatives to everything else. That's great: you're not as locked into the Apple ecosystem, and you still find good alternatives elsewhere with end-to-end encryption. Best case scenario, you successfully find trusted end-to-end encrypted alternatives to each part of this new iCloud ADP suite, ensuring you have end-to-end encryption wherever possible without the need for that Apple account.

Not everyone has the same requirements, so it's kind of hard for us to make a call on behalf of you, but we hope that that information in combination with the services on our site's resources can help you figure out what's possible in your life. Again, this is all based on the assumption that you enable ADP, otherwise we wouldn't really recommend iCloud at all. Another big thing Apple did since our last video is Lockdown Mode, which is a security feature in macOS designed to protect against highly targeted attacks. It restricts functionality by disabling features in Safari and messaging apps, limiting USB device connections and more, with the intent of reducing attack surface on your computer. We generally recommend most people in zone 2 to enable Lockdown Mode to fully benefit from all of Apple's native security protection. We've made a dedicated video on Lockdown Mode that explains all its changes and how it works.

Outside using strong and unique passwords, which we covered in zone 1, where and how they're stored can be incredibly important as well. Password managers are a commonly recommended way to go, so if you want simple cloud syncing between your devices, check out Bitwarden and Proton Pass, both are open source. If you want a more DIY password manager, there's KeePass, which is also open source and gives you more control over things. More specifically, Strongbox is our recommended macOS client for KeePass users, and we just made a top 4 best password managers video that I'll leave here as well if you want to see all our best choices.

Part 2 of browsers is to take things to the next level. I'd recommend sticking to strictly open source browsers like Tor, Firefox, Brave and Mullvad, and properly hardening each browser for the absolute best safety. We cover Firefox hardening in a dedicated video, and have covered how I use multiple browsers in another video that should give you a lot more ideas on how to choose and utilize multiple browsers for different use cases. Radios apply to anything that gives off a signal on your computer.

This means predominantly Wi-Fi, Bluetooth, and GPS. We'll cover the more extreme solutions in zone 3, but for zone 2, just try disabling Bluetooth and location when they're not being used. Bluetooth for one can be an insecure protocol and has some privacy concerns. The general rule of thumb for radios is if it doesn't need to be on, just turn it off.

The last radio you should be aware of is Wi-Fi. Your device broadcasts a unique ID called a MAC address. Not to be confused with a Mac, this is its own thing that all computers have.

But this unique address can be used to track you between Wi-Fi networks. So try to randomize your MAC address, which is now an option in macOS, just make sure it's on, and be sure to utilize it. Macs offer multiple user accounts.

You can use these to compartmentalize or separate different aspects of your life. Maybe you have a business account, school account, dating account, and then your personal account. The options are limitless. The goal here is to separate aspects of your life that don't need to be intermixed, for both privacy and security benefits. Additionally, for those who want to go above and beyond, you can have an administrator account and then a standard user account, and stick to only using the standard user account for your daily usage as a nice security perk. This prevents rogue applications, malware, or anything else from utilizing that admin access to damage your system.

Some extra tips in regards to hardware security. Make sure you enable FileVault, as shared in Zone 1. That's a good starting point. Consider locking your desktop or laptop to a desk or wall if this is an option.

And while we do believe in device longevity and making things last as long as possible, it seems pretty evident that Apple's new silicon chips are a noticeable upgrade for security over prior Intel chips. So we do recommend people try to migrate to Apple silicon whenever possible. Additionally, consider covering your cameras to prevent the theoretical camera hack where someone spies on you through your camera. Cover them up if you never use your cameras; if you're on a MacBook, where a cover is not something we recommend for Apple reasons, just use tape.

A nice thing with desktops is they normally don't have a webcam like laptops do, so you can instead rely on an external webcam with a great amount of peace of mind once it's unplugged. Finally, consider utilizing a privacy screen protector. These make it so it's difficult to view your device's screen from side angles, protecting your personal information from snoops and shoulder surfing attacks. The main downside is they can affect the display quality just slightly, but that's just a minor drawback. I'll leave a link in the description with some screen protectors for you to take a look at.

This is it everybody. Zone 3, you made it to the end. And like I said earlier, this is for the extreme users looking for the utmost security and privacy on their devices. Hardening is when you're going to improve the security and privacy of macOS through several advanced configuration changes.

Even if you turn off all the settings and you've done everything else in this guide, you've done a great job, but Apple still can collect some data about your system, and this can be improved upon. A disclaimer on hardening is that there is no universally agreed upon best way to harden, so it goes without saying that these tools should be used with caution and only after extensive research for each individual. The efficacy of them is also not fully understood across all users.

First, Objective-See is such an easy to recommend, safe way to harden macOS devices. They're actually the developers behind LuLu that we mentioned earlier in the video, but they develop many other privacy and security tools that are designed to do things like prevent ransomware, alert you about mic and camera activations, check for persistently installed software, malware execution patterns, evil maid attacks, and more. They have so much stuff. And did I mention everything they do is open source? Cause it is.

Now, beyond Objective-See, the best, most evidence-based, and most updated macOS hardening guide is still what it was years ago, but it's been updated since then, which is drduh's macOS Security and Privacy Guide. This covers every little detail about macOS and the countless more sophisticated ways to improve security beyond what we've covered in this video guide. It goes without saying you should proceed with caution, though they are very good about detailing pros and cons and any issues that may come up.

Link is below for you to dive into that hardening guide. Finally, just to give you some extra tips, there are still those pesky cameras and mics, and if you really don't trust them, you can consider removing them. Depending on your laptop model, this can be simple or advanced. You can also snip the microphone and stick to only using the microphone on your earbuds, but keep in mind that you will surely piss off Apple Genius people. They will void your warranty. There are also tools like BusKill that can provide a dead man's switch for your device to trigger a shutdown if the computer is removed without your permission.

It's a really nifty tool that we just did a review on. And finally, as nice as macOS can be, sometimes the easier option, depending on who you are, is to just switch your OS, gatekeeping aside. So here are some things you can do or implement into your life if you don't feel that macOS prioritizes your needs. First, virtual machines.

We've covered using virtual machines for improving privacy and security in Go Incognito, of course, and it stands true for this video as well. You can use Linux as a guest OS on your computer. UTM and Parallels are both fantastic VM solutions that offer almost native-like performance.

I actually love these a lot. They're my favorite VM softwares on any operating system. The second tip, though, is utilize multiple devices for different things. Perhaps a desktop at home runs macOS for work, but your personal machine runs Linux, or vice-versa. Just getting creative with multiple machines is an option.

Third, this is experimental, but as this guide ages, I hope that this advice will age well. Fedora Asahi Linux is currently an experimental, though legitimate way of installing Fedora natively on Apple Silicon. There are still missing features, and it's a bit unreliable at the time of recording, so don't just install this willy-nilly, but it could end up becoming a wonderful solution in the long run in my attempt to try to future-proof this guide a little bit. And that is it. That is how you make macOS as private and secure as you can.

It's important to emphasize, I always gotta say this, that improvements are improvements, and you shouldn't just listen to people who immediately dismiss Mac devices without understanding why you, yourself, may be dependent on it. The OS you choose is your choice, we're just trying to help out where that's possible. And to speak to that, we will cover other devices like Linux, Windows, iOS, and Android, all are linked in the description. Coming soon is also our all-encompassing Become Anonymous guide.

It's broader advice applicable to everything, and if you want an even deeper dive into the world of privacy, our Go Incognito course is a great way to not only learn the ropes, but finish feeling confident in yourself. V2 will be going live in the near future, and we hope to continue making digital rights education as easy as possible. Don't forget to like and subscribe, and a massive thanks to our supporters who believe in our mission. Support what we do on Patreon, and through our forum and through Patreon, you get access to a private Signal group for just our little tight-knit community for all you supporters as a way to give back to you.

Thanks for watching, and go check out this video to learn more about your privacy and security. We'll see you there, we'll see you next time on Techlore, and thanks for watching. Bye.

2025-02-02 16:20
